LDAP-UX Client Services B.05.00 Administrator's Guide
-----------    -------------
name:          cn
gid:           gidnumber
members:       memberuid memberURL
               member uniquemember
LDAP-UX retrieves group members and processes the groups that a specific user belongs to by
looking into all configured attributes. If needed, you can create a group that includes both static
and dynamic members. When returning group members, LDAP-UX returns both the static and the
dynamic members that belong to a specific group.
When processing dynamic group attributes, LDAP-UX combines the search filter of the passwd
service from the profile with the search filter specified in memberURL (the last component in
memberURL) or nxSearchFilter to retrieve group members. This ensures that the group
members returned are POSIX accounts and meet the configuration set for LDAP-UX.
4.3.1 Examples
The following is an example of the output of
/opt/ldapux/config/display_profile_cache:
PASSWD Service Configuration
Attribute: is mapped to:
---------- --------------
name: uid
uid number: uidnumber
.....
Search Descriptor
search[0]: dc=example,dc=hp,dc=com?sub?(objectclass=posixaccount)
The sample group entry is:
dn: cn=mygroup,ou=Groups,dc=example,dc=hp,dc=com
objectClass: groupofnames
objectClass: groupofuniquenames
objectClass: posixgroup
objectClass: groupofurls
objectClass: top
cn: mygroup
gidNumber: 100
memberUid: user1
member: uid=user2,ou=people,dc=example,dc=hp,dc=com
uniqueMember: uid=user3,ou=people,dc=example,dc=hp,dc=com
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(uid=p*)
When processing memberURL to retrieve dynamic members, LDAP-UX combines
(objectclass=posixaccount) from the passwd configuration with (uid=p*) as the search
filter to search the tree of "dc=example,dc=hp,dc=com".
With the above attribute mappings, LDAP-UX will return user1, user2, user3 and all users
whose uid starts with "p" as group members.
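The filter combination described above, worked through in Python as an added illustration (it is not LDAP-UX code or output). It assumes the two filters are joined with a logical AND, evaluates only simple terms, reduces static DN members to their uid RDN value, and uses two constructed directory entries, pat and printsvc; all function names are hypothetical.

```python
import fnmatch
import re
from urllib.parse import unquote

PASSWD_FILTER = "(objectclass=posixaccount)"  # passwd search descriptor shown above

def combined_filter(member_url, profile_filter=PASSWD_FILTER):
    """Split ldap:///base?attrs?scope?filter and AND its filter with the profile's."""
    if not member_url.lower().startswith("ldap:///"):
        raise ValueError("expected a host-less ldap:/// URL")
    parts = (member_url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    base, _attrs, scope, flt = (unquote(p) for p in parts)
    return base, scope or "base", "(&%s%s)" % (profile_filter, flt or "(objectclass=*)")

def matches(entry, flt):
    """Evaluate an AND of simple (attr=value) terms, '*' wildcard; nothing more."""
    if "|" in flt or "!" in flt:
        raise NotImplementedError("only AND of simple terms is handled")
    terms = re.findall(r"\(([\w-]+)=([^()]*)\)", flt)
    return all(any(fnmatch.fnmatchcase(v.lower(), pat.lower())
                   for v in entry.get(attr.lower(), [])) for attr, pat in terms)

def group_members(group, directory):
    """Static members plus dynamic members resolved through memberURL."""
    names = set(group.get("memberuid", []))
    for attr in ("member", "uniquemember"):  # simplification: use the uid RDN value
        names.update(dn.split(",")[0].split("=", 1)[1] for dn in group.get(attr, []))
    for url in group.get("memberurl", []):
        base, scope, flt = combined_filter(url)
        if scope != "sub":
            raise NotImplementedError("example handles subtree scope only")
        for dn, entry in directory.items():
            if dn.lower().endswith(base.lower()) and matches(entry, flt):
                names.update(entry["uid"])
    return sorted(names)

SUFFIX = "dc=example,dc=hp,dc=com"
DIRECTORY = {  # constructed entries; printsvc is not a POSIX account
    "uid=pat,ou=people," + SUFFIX: {"objectclass": ["posixaccount"], "uid": ["pat"]},
    "uid=printsvc,ou=svc," + SUFFIX: {"objectclass": ["account"], "uid": ["printsvc"]},
}
GROUP = {  # the sample group entry from this section
    "memberuid": ["user1"],
    "member": ["uid=user2,ou=people," + SUFFIX],
    "uniquemember": ["uid=user3,ou=people," + SUFFIX],
    "memberurl": ["ldap:///" + SUFFIX + "??sub?(uid=p*)"],
}
if __name__ == "__main__":
    print(combined_filter(GROUP["memberurl"][0])[2], group_members(GROUP, DIRECTORY))
```

The printsvc entry satisfies (uid=p*) on its own but is excluded once the passwd filter is applied, so a broad memberURL filter cannot place a non-POSIX entry in the group.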
4.3.2 Group attribute mappings
To enable dynamic group support, you must run the setup program to remap the
default group attribute, memberuid, to the dynamic group attribute, memberURL. If memberURL
is not mapped to memberUid, LDAP-UX will not process dynamic groups.
The attribute mappings are done in step 10 of the Custom Configuration. For detailed information
on how to remap the group attributes, see Section 2.4.5.2 (page 73).
Table 4-1 shows attribute mappings between the default group attribute and alternate group
attributes: